Heartland Bleeds Data, Potential Victims Could Number Millions

Credit card processor Heartland Payment Systems has disclosed a security breach that occurred last year and potentially gave hackers access to hundreds of millions of credit and debit card numbers. The loss could result in unauthorized credit card purchases, though Heartland says no Social Security numbers were lost, lessening the likelihood of full-blown ID theft. Heartland was PCI compliant.

By Walaika Haskins
Jan 21, 2009 3:00 PM PT

Massive credit card payment processor Heartland Payment Systems (HPS) disclosed Tuesday that a security breach within its processing system some time in 2008 resulted in the potential exposure of millions of credit card and debit card numbers.

No cardholder Social Security numbers, addresses or telephone numbers have been compromised, and the intrusion is believed to have been contained, according to the company.

The sort of data exposed by the breach could be used to carry out unauthorized purchases using victims' existing credit and debit cards.

The breach was detected after Visa and Mastercard alerted HPS to suspicious activity concerning processed card transactions. The company launched an investigation and last week found malicious software that compromised data in its network.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands. We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer.

History-Making Breach

"This breach is extremely significant, and is perhaps the single largest theft of consumer data to date. Heartland has yet to confirm how long ago this penetration occurred, or how many records are at risk. What we do know is that they've stated records of 175,000 out of 250,000 of their retailers were potentially compromised. It is likely tens of millions of credit card and debit card details have been stolen," Michael Argast, a security analyst at Sophos, told the E-Commerce Times.

Although HPS has not provided details about how the intrusion occurred, Argast said it could have happened in two ways. The first is a combination of accidental breaches -- non-targeted malware -- coupled with the loss of a device by an employee.

"The second, much more likely in this type of loss, is a targeted attack -- the attackers likely used a multi-stage penetration that involved delivering malware via a vulnerability -- an exploit or social engineering attack, followed by the sniffer that Heartland found, which allowed the hackers to intercept the data in transit and then send it out of the network," he explained.

Rethinking Security

Security analysts and regulators are particularly concerned about the breach because HPS had been Payment Card Industry Data Security Standard (PCI-DSS)-audited and certified. Created by Visa and Mastercard, PCI-DSS is a worldwide security standard comprising more than 200 requirements for any company that deals with credit cards.

"Heartland Payment Systems are part of the industry's payment and data security standards. What this attack demonstrates is that security is only as strong as its weakest link. This begs the question, since HPS had complied with the security standard they were supposed to as a processor, whether those standards are enough," Gretchen Hellman, vice president of security solutions at Vormetric, told the E-Commerce Times.

This was a very sophisticated attack, Hellman noted, something that hasn't been seen before. Typically following an attack, talk turns to what the IT department should have done. However, security is something that comes down from the CEO and board of directors.

"IT is only as good as the funding provided for it. Some of the rethinking needs to go into the way we approach security in this regulated world. Even though companies comply with these regulations, compliance apparently is not enough. The PCI is a list of items, but security needs are much more sophisticated than a list. It is a combination of people, processes and technology. In this regulated world, meeting the regulations is one thing, but it doesn't mean you're protected," she continued.

Transaction processing companies in particular need to pay very close attention to this breach. The fact that the attacker was able to capture data using a sniffer shows a particular weakness in the measures taken, said Argast.

"Encryption needs to be end-to-end between the device capturing the details and the server validating them, so even if the internal network is breached the data is secure. Layered on top of that, strong data leakage protection on the server to prevent hackers from being able to move data off would be very advisable," he pointed out.

Securing Security

More specifically, corporate executives need to make sure that data cannot be transmitted out to unrecognized servers and that they are preventing known and unknown malware from residing on their systems, said Avivah Litan, a Gartner analyst.

"I don't have the specifics, but I imagine the criminals used under-the-radar malware that was not detected by the controls Heartland had in place. Also, I am left to wonder how the crooks got the data out of their system -- a firewall policy should preclude such data transfers to unrecognized servers," she told the E-Commerce Times.
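The egress control Litan describes can also be checked after the fact against network flow logs. The following is an added example, not code from the article or from Heartland: it flags outbound flows from a cardholder-data segment to destinations that are not on an approved list and totals the bytes sent to each. The record format, the network ranges (documentation address space) and the allowlist are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed cardholder-data segment and approved egress destinations (constructed).
CDE_NET = ipaddress.ip_network("10.20.0.0/24")
EGRESS_ALLOW = [
    (ipaddress.ip_network("198.51.100.0/28"), 443),  # card-brand gateway (placeholder)
    (ipaddress.ip_network("10.30.1.0/24"), 1433),    # internal settlement DB (placeholder)
]

# Constructed flow records: "src dst dst_port bytes_out"
SAMPLE_FLOWS = """\
10.20.0.15 198.51.100.4 443 48211
10.20.0.15 10.30.1.9 1433 9120
10.20.0.22 203.0.113.77 443 7340112
10.20.0.22 203.0.113.77 443 6291456
10.40.3.8 203.0.113.77 80 512
10.20.0.31 198.51.100.4 8080 2048
malformed line
"""

def is_allowed(dst, port):
    """A destination is approved only if both network and port match a rule."""
    return any(dst in net and port == p for net, p in EGRESS_ALLOW)

def unrecognized_egress(flow_text):
    """Return {(src, dst, port): total_bytes} for CDE flows to unapproved destinations."""
    hits = defaultdict(int)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip records that do not have the four expected fields
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port, nbytes = int(parts[2]), int(parts[3])
        except ValueError:
            continue  # skip records with unparsable addresses or numbers
        if src in CDE_NET and not is_allowed(dst, port):
            hits[(str(src), str(dst), port)] += nbytes
    return dict(hits)

def report(flow_text):
    """Findings sorted by bytes sent, largest first, for analyst triage."""
    return sorted(unrecognized_egress(flow_text).items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (src, dst, port), total in report(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} sent {total} bytes to an unapproved destination")
```

Matching on port as well as network means traffic to an approved host on an unexpected port is still reported, as the last well-formed sample record shows.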

In addition, continuous file integrity and configuration change monitoring should help provide greater security even though it is not PCI-required, Litan continued.

As a matter of best practice, security policies should be evaluated on a consistent, regular basis. Organizations such as Heartland, which have data considered extremely valuable by attackers, need to be especially vigilant and go above and beyond certifications such as PCI, Argast advised.

"There should be a minimum of an annual evaluation for most organizations. The depth of the evaluation and effort placed into it may depend on the value of their data, but the threat and threat vectors are changing so rapidly that yesterday's defenses can become quickly overwhelmed by today's malicious technology. Organizations like Heartland, which are very attractive targets for hackers, need to have security analysts that are aware of changes in the threat and are able to adjust their security policies rapidly," he added.

HPS and security professionals both suggest that consumers pay close attention to their credit card statements. However, Argast recommends that anyone affected by the breach request a new credit card from their bank.

"Thefts are often designed to fall below the radar of notice. It isn't appropriate to put the burden of security on the consumer in the case of this sort of loss. While card replacements are expensive due to the scale of the attack, they are the only surefire way to ensure that theft will not occur," he noted.